We give a Shor-Preskill type security proof for quantum key distribution without public announcement of bases [W.Y. Hwang et al., Phys. Lett. A 244, 489 (1998)]. First, we modify the Lo-Chau protocol once more so that it finally reduces to the quantum key distribution without public announcement of bases. Then we show how we can estimate the error rate in the code bits based on that in the checked bits in the proposed protocol, which is the central point of the proof. We discuss the problem of imperfect sources and that of large deviation in the error rate distributions. We discuss when the basis sequence must be discarded.
I. INTRODUCTION

Information processing with quantum systems enables what seems to be impossible with its classical counterpart. In addition to the practical importance, this fact has many theoretical and even philosophical implications.

Quantum key distribution (QKD) is one of the most important and interesting forms of quantum information processing. QKD will become the first practical quantum information processor [12]. Although the security of the Bennett-Brassard 1984 (BB84) QKD scheme had been widely conjectured based on the no-cloning theorem, it is only quite recently that its unconditional security was shown. In particular, Shor and Preskill showed the security of the BB84 scheme, starting from a modified form of the Lo-Chau protocol, by elegantly using the connections among several basic ideas in quantum information processing, e.g. quantum error correcting codes (QECCs) and entanglement purification [21].

In the standard BB84 protocol, however, at most half of the data obtained by using expensive quantum communication can be utilized. It is clear that it is not efficiency but security that is most important in cryptographic tasks. However, it is meaningful enough to improve the efficiency without loss of security. One method for full-efficiency QKD is to delay the measurements in the BB84 scheme using quantum memories. This is indeed the original proposal by Bennett and Brassard. However, quantum memories would be quite costly with near-future technology. Another method is to assign significantly different probabilities to the different bases [22]. Although unconditional security of the scheme is given [22], it has the disadvantage that a larger number of key bits must be generated at once than in the BB84 scheme in order to get the same level of security. However, in a recently proposed QKD without public announcement of basis (PAB), we can obtain the full efficiency with this problem relaxed.

The QKD without PAB is a simple variation of the BB84 scheme. In the BB84 scheme, Alice and Bob use different random bases and then discard the cases where the bases are not matched. In the QKD without PAB, Alice and Bob use bases determined by a prior random key, the basis sequence b. When the basis sequence b is used only once, it is clear that the scheme is as secure as the BB84 scheme. However, in this case it is obviously meaningless because they have to consume a secret key that is as long as the generated key. Thus, the problem is whether the basis sequence b can be used repeatedly without loss of security. It was shown that this is the case against individual attacks, and it was suggested that it could be the case against coherent attacks. The purpose of this paper is to give a Shor-Preskill type unconditional security proof for the QKD without PAB. The framework of the proof is the same as the original one. However, we modify the Lo-Chau scheme once more to give the QKD without PAB. We give three schemes: the modified Lo-Chau scheme II, which reduces to the Calderbank-Shor-Steane (CSS) codes scheme II. The CSS codes scheme II then reduces to the QKD without PAB. We argue why we can estimate the error rate in the code bits based on that in the checked bits in the protocol, which is the central point of the proof. This implies that the modified Lo-Chau scheme II is secure, completing the proof. We discuss the problem of imperfect sources and that of large deviation in the error rate distributions. We discuss when the basis sequence must be discarded. Then we give a conclusion.



A. Notation 

In this paper, we use mostly the notations in Refs. 
011 ■ 

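The canonical basis of a qubit consists of $|0\rangle$ and $|1\rangle$. We define another basis as follows: $|\bar{0}\rangle = (1/\sqrt{2})(|0\rangle + |1\rangle)$ and $|\bar{1}\rangle = (1/\sqrt{2})(|0\rangle - |1\rangle)$. The Hadamard transform $H$ is a single-qubit unitary transformation of the form

$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$$

in the canonical basis. This transformation interchanges the bases $|0\rangle, |1\rangle$ and $|\bar{0}\rangle, |\bar{1}\rangle$. $I = \sigma_0$ is the identity operator and

$$\sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad \sigma_y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$$

are the Pauli operators. The $\sigma_{a(i)}$ denotes the Pauli operator $\sigma_a$ acting on the $i$-th qubit, where $a = 0, x, y, z$. For a binary vector $s$, we let $\sigma_a^{[s]} = \sigma_{a(1)}^{s_1} \sigma_{a(2)}^{s_2} \cdots \sigma_{a(n)}^{s_n}$, where $s_i$ is the $i$-th bit of $s$ and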

The Bell basis states are the four maximally entangled ones, $|\Psi^{\pm}\rangle = (1/\sqrt{2})(|01\rangle \pm |10\rangle)$ and $|\Phi^{\pm}\rangle = (1/\sqrt{2})(|00\rangle \pm |11\rangle)$.

Let us consider two classical binary codes, $C_1$ and $C_2$, such that $\{0\} \subset C_2 \subset C_1 \subset F_2^n$, where $F_2^n$ is the binary vector space of the $n$ bits. A set of basis states for the CSS code can be obtained from vectors $v \in C_1$ as follows: $v \to (1/|C_2|^{1/2}) \sum_{w \in C_2} |v + w\rangle$. Note that $v_1$ and $v_2$ give the same vector if $v_1 - v_2 \in C_2$. $H_1$ is the parity check matrix for the code $C_1$ and $H_2$ is that for $C_2^{\perp}$, the dual of $C_2$. $Q_{x,z}$ is a class of QECCs. For $v \in C_1$, the corresponding code word is $v \to (1/|C_2|^{1/2}) \sum_{w \in C_2} (-1)^{z \cdot w} |x + v + w\rangle$.

II. THE QKD WITHOUT PUBLIC ANNOUNCEMENT OF BASIS

It is notable that what we are considering in this section is not security but reductions of the schemes.

Protocol A: Modified Lo-Chau scheme II.
(1) Alice creates 2n Einstein-Podolsky-Rosen (EPR) pairs in the state $|\Phi^+\rangle^{\otimes 2n}$.
(2) Alice and Bob are assumed to be sharing a prior random (2n/r)-bit string, the basis sequence b. (2n/r is a positive integer.) Alice performs the Hadamard transform on the second half of each EPR pair for which b is one.
(3) Alice repeats step 2 r times with the same basis sequence b.
(4) Alice sends the second half of each pair to Bob.
(5) Bob receives the qubits and publicly announces this fact.
(6) Bob performs the Hadamard transform on the second half of each EPR pair for which b is one.
(7) Bob repeats step 6 r times with the same basis sequence b.
(8) Alice randomly selects n of the 2n EPR pairs to serve as check bits to test for Eve's interference. Then she announces it to Bob.
(9) Alice and Bob each measure their halves of the n check EPR pairs in the $\{|0\rangle, |1\rangle\}$ basis and share the results. If too many of these measurements disagree, they abort the scheme.
(10) Alice and Bob make the measurements on their code qubits of $\sigma_z^{[r]}$ for each row $r \in H_1$ and $\sigma_x^{[r]}$ for each row $r \in H_2$. Alice and Bob share the results, compute the syndromes for bit and phase flips, and then transform their state so as to obtain m (encoded) nearly EPR pairs.
(11) Alice and Bob measure the EPR pairs in the (encoded) $\{|0\rangle, |1\rangle\}$ basis to obtain an m-bit final string with near-perfect security. □

The entanglement purification protocols with one-way classical communications are equivalent to the QECCs [21]. The modified Lo-Chau protocol reduces to the CSS codes protocol by this equivalence. However, the only difference between Protocol A and the modified Lo-Chau protocol is the following. In the former they use the basis sequence b to determine whether they apply the Hadamard operation or not, while in the latter they do it by their own different random sequences and they use only matched bases. We can see that Protocol A reduces to Protocol B by the same equivalence.

Protocol B: CSS codes scheme II.
(1) Alice creates n random check bits and a random m-bit key k. They are assumed to share a prior random (2n/r)-bit string, the basis sequence b.
(2) Alice chooses n-bit strings x and z at random.
(3) Alice encodes her key $|k\rangle$ using the CSS code $Q_{x,z}$.
(4) Alice chooses n positions out of 2n and puts the check bits in these positions and the code bits in the remaining positions.
(6) Alice performs the Hadamard transform on the qubits for which b is one.
(7) Alice repeats step 6 r times with the same basis sequence b.
(8) Alice sends the resulting state to Bob. Bob acknowledges the receipt of the qubits.
(9) Alice announces the positions of check bits, the values of the check bits, x, and z.
(10) Bob performs the Hadamard transform on the qubits for which the component of b is one.
(11) Bob repeats step 10 r times with the same basis sequence b.
(12) Bob checks whether too many of the check bits have been corrupted, and aborts the scheme if so.
(13) Bob measures the qubits in the (encoded) $\{|0\rangle, |1\rangle\}$ basis to obtain an m-bit final key with near-perfect security. □

The only difference between Protocol B and the CSS codes protocol is the following. In the former they use the basis sequence b to determine whether they apply the Hadamard operation or not, while in the latter they do it by their own different random sequences and they use only matched cases. We can see that Protocol B reduces to the following Protocol C in the same way as the modified CSS codes protocol reduces to the BB84 protocol.

Protocol C: QKD without public announcement of basis.
(1) Alice creates 2n random bits. Alice and Bob are sharing a prior random (2n/r)-bit string, the basis sequence b.
(2) Alice encodes each random bit to qubits using the basis sequence b. That is, when the random bit is 0 (1) and the corresponding component of the basis sequence b is zero, she creates a qubit in the $|0\rangle$ ($|1\rangle$) state. When the random bit is 0 (1) and the corresponding component of the basis sequence b is one, she creates a qubit in the $|\bar{0}\rangle$ ($|\bar{1}\rangle$) state.
(3) Alice repeats step 2 r times with the same basis sequence b.
(4) Alice sends the resulting qubits to Bob.
(5) Bob receives the 2n qubits and performs measurement $S_z$ or $S_x$ if the corresponding component of the sequence b is zero and one, respectively. Here $S_z$ ($S_x$) is the orthogonal measurement whose eigenvectors are $|0\rangle$ and $|1\rangle$ ($|\bar{0}\rangle$ and $|\bar{1}\rangle$).
(6) Bob repeats step 5 r times with the same basis sequence b.
(7) Alice decides randomly on a set of n bits to use for the protocol. Then she announces it. The other n qubits are used as check-bits.
(8) Alice and Bob announce the values of their check-bits. If too few of these values agree, they abort the protocol.
(9) Alice announces $u + v$, where $v$ is a string consisting of randomly chosen code-bits, and $u$ is a random code word in $C_1$.
(10) Bob subtracts $u + v$ from his code-bits, $v + e$, and corrects the result, $u + e$, to a codeword in $C_1$.
(11) Alice and Bob use the coset of each $u + C_2$ as the key. In this way, they obtain an m-bit string. □

III. THE SECURITY OF THE QKD WITHOUT PAB

Since we have shown the reduction of protocols $A \to B \to C$, it is sufficient for us to show the security of Protocol A here. The arguments in the following are for entanglement purification in Protocol A, thanks to which we can deal with coherent attacks.

We briefly recall the classicalization of statistics that is stressed by Lo and Chau. Then we will see that the remaining arguments are similar to what we used for the individual attacks [23].

First, let us review the classicalization of statistics in the Shor and Preskill proof. What we consider is the interaction of the qubits $|\psi\rangle$ of Alice and Bob and the quantum probes $|e\rangle$ of Eve. In general, the state after any interaction by a unitary operator $U$ can be decomposed [26,27] as

$$U|\psi\rangle|e\rangle = \sum_{\{k\}} C_{\{k\}}\, \sigma_{k_1(1)} \sigma_{k_2(2)} \cdots \sigma_{k_n(n)} |\psi\rangle |e_{\{k\}}\rangle. \qquad (1)$$

Here $\{k\}$ is the abbreviation for $k_1, k_2, \ldots, k_n$ with $k_i = 0, 1, 2, 3$ ($i = 1, 2, \ldots, n$), and $\sigma_0 = I$, $\sigma_1 = \sigma_x$, $\sigma_2 = \sigma_y$, $\sigma_3 = \sigma_z$. The $C_{\{k\}}$'s are coefficients. The vectors $|e_{\{k\}}\rangle$ are normalized but not mutually orthogonal in general. Since Eq. (1) is just the general decomposition of a vector by complete bases, it is clear that the interaction described in Eq. (1) includes the case of coherent attacks as well as individual attacks. It is notable that Eve can make her quantum probes interact with Alice and Bob's qubits only when she has access to their qubits. In other words, Eve cannot modify the interaction after the qubits have left her. This is in contrast with the fact that Eve can choose the measurement bases even after the qubits have left. Therefore we need not worry about Eve's later choice if our consideration is for the interaction term Eq. (1). What Eve can do is only to control the coefficients $C_{\{k\}}$'s as she likes.

Let us note that each state $\sigma_{k_1(1)} \sigma_{k_2(2)} \cdots \sigma_{k_n(n)} |\psi\rangle$ is an eigenstate of the measurements that are performed here. The qubits are initially prepared in the state $|\Phi^+\rangle$, which is one of the Bell states. The set of the Bell states is closed under Pauli operations on a qubit. Thus each qubit in the protocol that has undergone a certain Pauli operation is one of the Bell states. On the other hand, the measurements performed in the checking steps are equivalent to the Bell measurements. Therefore, as far as the checking measurements are concerned, the mixed state

$$\rho = \sum_{\{k\}} |C_{\{k\}}|^2\, \sigma_{k_1(1)} \sigma_{k_2(2)} \cdots \sigma_{k_n(n)} |\psi\rangle\langle\psi| \sigma_{k_1(1)} \sigma_{k_2(2)} \cdots \sigma_{k_n(n)} \qquad (2)$$

gives rise to the same results as the pure state in Eq. (1). This is the basis for the classicalization of statistics, as a result of which it is sufficient for us to consider classical distributions given by the probabilities $P_{\{k\}} = |C_{\{k\}}|^2$.

Once the classicalization of statistics is obtained, it is not difficult to see that the modified Lo-Chau protocol II is secure. In the case of the BB84 protocol, they estimate the error rate, or the ratio of $\sigma$'s that are not the identity operator $I$ among the $\sigma_{k_1(1)} \sigma_{k_2(2)} \cdots \sigma_{k_n(n)}$'s, by doing the checking measurement on some randomly chosen subsets of the qubits. If Eve's operation on a checked qubit is the identity $I$, the probability to give rise to error is zero. If Eve's operation on a checked qubit is not the identity $I$, it will give rise to errors probabilistically: if the basis matches it will induce no error, but if the bases do not match it will. (More precisely, the probabilities to give rise to errors are 1/2, 1/2, and 1, respectively, for $\sigma_z$, $\sigma_x$, $\sigma_y$ operations.) What Eve wants to do is to minimize the number of errors in the check bits for a given number of non-identity operations. However, since the checked bits and the bases are randomly chosen by Alice and Bob, Eve knows nothing about them while she has access to the qubits of Alice and Bob. Thus we can assume that the error rate of the checked bits represents that of the code bits, which is a crucial point in the security proof.

Let us now consider Protocol A. Protocol A up to the first round is obviously stronger than the modified Lo-Chau protocol. Thus it is clear that up to the first round Protocol A is as secure as the modified Lo-Chau protocol. Let us consider the second round. Here one may worry that Eve can extract some information about the basis sequence b after the first round. It is obvious that if Eve knows the basis sequence b she can successfully cheat. This is because in this case she can control the probabilities $P_{\{k\}}$'s so that more bases are matched or the probability to be detected decreases. However, no matter how many rounds are performed, Eve can extract no information on the basis sequence b by any quantum operations in the ideal case [23]: the ensembles of qubits with different bases give rise to the same density operators. (We will discuss the non-ideal case in the next section. Also note that all public discussions between Alice and Bob are performed after all qubits have arrived at Bob in the proposed protocol.) So we don't have to worry about this point. Now what Eve knows is that the same basis sequence b is used repeatedly. That is, she knows which qubits are in the same basis although she does not know the identity of the basis. Now the problem is whether Eve can induce a statistically smaller number of errors in the checked bits for a given number of non-identity operators in the second round than in the first round. However, we can see that she cannot do so because she does not know which basis it is anyway, and thus the probability that the bases are not matched is still 1/2. For example, let us consider the first two qubits in the first and second round. If Eve's basis and the basis of the checked bit are matched (not matched), then the probability that it is detected is zero (non-zero). Even if Eve knows that the two qubits are in the same basis, that information is not helpful in decreasing the expected error rate since the probability that the bases are not matched is still 1/2. Eve's best strategy here is to choose the same operations for the two qubits. Then although the average error rate is not changed, the deviation of the probabilistic distribution will be increased. (We will discuss the problem of the large deviation in the next section.) We can easily see that the same argument applies to the remaining qubits and all qubits in the later j-th rounds ($j = 3, 4, 5, \ldots, r$). Therefore we can safely estimate the error rate in the code bits based on that in the checked bits, as we did in the modified Lo-Chau protocol.

IV. DISCUSSION AND CONCLUSION 

Let us consider the problem of imperfect sources. As noted in the previous section, the following fact is crucial for the QKD without PAB. The two ensembles of states, that is, the equal mixture of $|0\rangle$ and $|1\rangle$ and that of $|\bar{0}\rangle$ and $|\bar{1}\rangle$, are equivalent to each other and thus cannot be distinguished in any case. This is valid when the sources are ideal. However, there must be a certain amount of imperfection in the source. In this case some amount of information on the basis sequence b can be leaked to Eve, making the scheme insecure [28]. However, we give a practical method to overcome this problem. It is not difficult to generate pairs of qubits in one of the (imperfect) Bell states, for example, the $|\Phi^+\rangle$ state, with current technologies. Alice can generate the qubits to be sent to Bob in the following way. First she prepares pairs of qubits in the (imperfect) $|\Phi^+\rangle$ state and she performs either the measurement $S_z$ or $S_x$ on one qubit of each pair. Here $S_z$ ($S_x$) is the orthogonal measurement whose eigenvectors are $|0\rangle$ and $|1\rangle$ ($|\bar{0}\rangle$ and $|\bar{1}\rangle$). She sends the other unmeasured qubits to Bob. Bob's ensemble of qubits generated by $S_z$ ($S_x$) is a mixture of imperfect $|0\rangle$ or $|1\rangle$ (either $|\bar{0}\rangle$ or $|\bar{1}\rangle$). However, these two ensembles cannot be distinguished in principle. This is because Alice's different choice of measurement cannot change the density operator of Bob's ensemble. Thus at least the problem of leakage of the information about the basis sequence b can be overcome. However, this does not mean that the QKD without PAB with an imperfect source is secure. This problem is beyond the scope of this paper. The Shor-Preskill paper shows the security with perfect sources only. The security with an imperfect source has been dealt with recently [29].

Next, let us compare the efficient QKD [22] with the QKD without PAB. In the former, they obtain the efficiency $\epsilon^2 + (1 - \epsilon)^2$ for a given $0 < \epsilon < 1/2$. The number of check bits in the other basis is proportional to $\epsilon^2$. Thus, when $\epsilon$ is small, namely when the efficiency is nearly full, the former would have the problem of a small number of samples for data analysis. In order to obtain enough security, therefore, they have to distribute a large number of qubits at once. In the latter we have a similar problem in a different way, as we noted in the previous section. That is, if Eve had chosen the same operation for the qubits with the same bases, the deviation in the probabilistic distribution of the error rate of the checked bits would be larger than that of the BB84 protocol, for a given number of total data, n. However, the random sampling process to estimate the error rate in the first round with n/r bits will be at least as good as that of the BB84 protocol with the same n/r bits. That is, the error rate deviation of the QKD without PAB with r rounds of n/r bits will be at least as small as that of the BB84 protocol with n/r bits. (We can see that the former is strictly smaller than the latter.) Therefore, provided that the length n/r of the basis sequence is long enough, we can say that the proposed protocol is secure.
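
The deviation argument of Sections III and IV, worked through exactly as an added example (not code from the paper). It uses the Pauli-error model of Section III and assumes that Eve applies the same Pauli to every copy of an attacked position and that every attacked qubit is counted as a check bit; all function names are illustrative.

```python
from fractions import Fraction
from math import comb

# ERRS[pauli][basis] is 1 when that Pauli flips the result in that basis
# (basis 0 = canonical, basis 1 = Hadamard-rotated). Averaged over a random
# basis this gives the error probabilities 1/2, 1/2 and 1 quoted in Section III.
ERRS = {"z": (0, 1), "x": (1, 0), "y": (1, 1)}

def reused_basis(pauli, r):
    """Error-count distribution for the r qubits that share one unknown bit
    of b, when the same Pauli hits all r of them (assumed strategy)."""
    dist = [Fraction(0)] * (r + 1)
    for basis in (0, 1):                       # each value of the bit: prob 1/2
        dist[r * ERRS[pauli][basis]] += Fraction(1, 2)
    return dist

def fresh_basis(pauli, r):
    """Same Pauli on r qubits whose bases are independent and uniform (BB84)."""
    p = Fraction(sum(ERRS[pauli]), 2)
    return [comb(r, k) * p**k * (1 - p)**(r - k) for k in range(r + 1)]

def convolve(a, b):
    """Distribution of the sum of two independent error counts."""
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def attacked_block(per_position, positions):
    """Total-error distribution over `positions` independent bits of b."""
    total = [Fraction(1)]
    for _ in range(positions):
        total = convolve(total, per_position)
    return total

def mean_var(dist):
    mean = sum(k * p for k, p in enumerate(dist))
    var = sum(k * k * p for k, p in enumerate(dist)) - mean**2
    return mean, var

def prob_at_most(dist, k):
    """Probability that the attacked qubits show k or fewer errors."""
    return sum(dist[: k + 1])

def compare(pauli="z", r=4, positions=5, threshold=4):
    """(mean, variance, P(errors <= threshold)) for reused and fresh bases."""
    reused = attacked_block(reused_basis(pauli, r), positions)
    fresh = attacked_block(fresh_basis(pauli, r), positions)
    return {
        "reused": mean_var(reused) + (prob_at_most(reused, threshold),),
        "fresh": mean_var(fresh) + (prob_at_most(fresh, threshold),),
    }

if __name__ == "__main__":
    for name, (mean, var, p_low) in compare().items():
        print(f"{name:6s} mean={mean} var={var} P(errors<=4)={float(p_low):.4f}")
```

With r = 4 and five attacked positions both cases average 10 errors, but the variance is 20 with a reused basis bit against 5 with fresh bases, so an abort threshold sized for BB84 statistics on the same number of qubits is passed more often and has to be set from the n/r independent basis bits instead.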

If the error rate in the checked bits is too high because of noise on the communication line or because of Eve, the protocol is aborted. One may worry that some information about the basis sequence has leaked to Eve in this case. If Alice uses again the random bits to be encoded (in step (1) of Protocol C) with the same basis sequence b, it amounts to the qubits in the same state being used repeatedly. Then it is simple for Eve to get information about the basis sequence. However, if the random bits are newly generated every time, the two ensembles of qubits corresponding to different bases have the same density operator $I$ and thus they cannot be distinguished, as we have discussed. Therefore, as long as Alice uses the random bits to be encoded only once, they don't have to discard the basis sequence b even after the protocol has been aborted because of a high error rate.
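
The indistinguishability claim used here and in Section III, checked with exact density matrices as an added example (not code from the paper). The sources are taken to be ideal and all function names are illustrative.

```python
from fractions import Fraction as F

HALF = F(1, 2)
# Projectors onto the two states of each basis (constructed, ideal source):
# basis bit 0 -> |0>, |1>; basis bit 1 -> the Hadamard-rotated states.
PROJ = {
    0: ([[1, 0], [0, 0]], [[0, 0], [0, 1]]),
    1: ([[HALF, HALF], [HALF, HALF]], [[HALF, -HALF], [-HALF, HALF]]),
}

def kron(a, b):
    """Kronecker product of two square matrices given as nested lists."""
    m = len(b)
    size = len(a) * m
    return [[a[i // m][j // m] * b[i % m][j % m] for j in range(size)]
            for i in range(size)]

def power(rho, r):
    """r-fold tensor power of a density matrix."""
    out = [[F(1)]]
    for _ in range(r):
        out = kron(out, rho)
    return out

def mix(states):
    """Equal-weight mixture of density matrices of the same dimension."""
    w = F(1, len(states))
    dim = len(states[0])
    return [[w * sum(s[i][j] for s in states) for j in range(dim)]
            for i in range(dim)]

def fresh_bits(basis, r):
    """State of one position of b over r rounds when every round encodes a
    newly generated random bit."""
    return power(mix(list(PROJ[basis])), r)

def repeated_bit(basis, r):
    """The same position when the same random bit is encoded in all r rounds."""
    return mix([power(p, r) for p in PROJ[basis]])

def distance_sq(a, b):
    """Squared Hilbert-Schmidt distance; zero exactly when the states coincide."""
    return sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb))

if __name__ == "__main__":
    for r in (1, 2, 3):
        print(r, distance_sq(fresh_bits(0, r), fresh_bits(1, r)),
              distance_sq(repeated_bit(0, r), repeated_bit(1, r)))
```

With fresh bits the two bases give identical joint states for every r, while re-encoding the same bit makes them differ from r = 2 on, which is why the basis sequence can survive an abort only if the random bits are never reused.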

However, it should also be underlined that the basis sequence has to be discarded after the final key is used for encrypting a message, because a ciphertext gives partial information about the key by which it is encrypted. The information about the key can then be used to extract information about the basis sequence b.

In conclusion, we have given a Shor-Preskill type security proof for the quantum key distribution scheme without public announcement of basis. We have given the modified Lo-Chau protocol II. This scheme reduces to the CSS codes scheme II, which reduces to the QKD without PAB. We have reviewed how the classicality is obtained in the Shor-Preskill type proof. Using the classicality we argued how we can estimate the error rate in the code bits based on that in the checked bits in the modified Lo-Chau protocol II. Since the remaining arguments are the same, this completes the proof. We discussed the problem of imperfect sources and that of the necessity of generating a large number of data. We discussed when the basis sequence must be discarded.